November, 1998
Y2K and Vendor Management

This Bulletin offers views of a legal nature, which are those of the author. Member agencies should consult their own legal counsel concerning the matters discussed in this Bulletin.

The Paper Blizzard

The looming Y2K storm is building strength and getting nearer:

- Software vendors are receiving letters seeking answers on the Y2K "compliance" of the vendor's products.
- Customers are sending letters to companies they do business with, seeking a statement of the companies' Y2K "readiness".
- Companies are sending letters to their service providers asking whether they are ready for Y2K.
- Bank regulators are questioning banks; banks are quizzing their borrowers; and outside auditors are asking corporate management to describe and quantify their exposure.
These contacts inevitably involve legal posturing and an effort to establish legal leverage for current or future use, such as defense against Y2K-related legal action. The questions posed and the answers given have tremendous legal significance, and cannot be taken lightly.

Internal Risk Analysis

To assess internally caused Y2K risk – that posed by your own internal systems – notices and questionnaires should be sent to vendors, equipment vendors and other such contractors that support your internal systems. These notices and questionnaires are intended to determine:

i. the status of the sender's equipment/software/systems;
ii. whether the systems are Y2K vulnerable ("non-compliant"); and
iii. the intentions of the vendors and contractors (i.e. whether they intend to fix it, when they intend to fix it and at what cost).
The vendor/contractor's response will have significant legal consequences for both the vendor/contractor and you. First, the vendor/contractor may not be required to provide an answer, and some may decide that responding is not necessary to protect their business relationships or reputation. As odd as it seems, a vendor may be under no legal obligation to respond. Nevertheless, most will answer (to preserve a business relationship or to avoid liability for withholding information).

If the vendor/contractor indicates that its products are Y2K compliant, it may have created a new warranty for those product(s). For that reason, most vendor responses will include a number of disclaimers and conditions to limit the scope and effect of their statements. This has the potential to create a volley of correspondence between you and the vendor to agree on a Y2K "compliance" or "readiness" definition. As frustrating as this process may seem, it is a key step in any Y2K Risk Analysis.
If the vendor/contractor indicates that its products are not Y2K compliant, a potential legal dispute is now established. The applicable license/support agreement, in addition to statutory and common law, may put you and the vendor at odds as to the vendor's responsibility. However, now that you are aware of the vendor's position, it becomes your responsibility to take action. From this point forward – regardless of the vendor's legal obligation – you are responsible for further damages caused by inaction (in legal-ese, you have the responsibility to mitigate damages). For example, in July 1997, IBM sent a mass mailing to its customers indicating that:

i. many IBM products now in use are not Y2K compliant;
ii. IBM does not intend to "fix" these products; and
iii. IBM will gladly sell you new, Y2K compliant products.

IBM's position – denying responsibility for the problem – may be subject to dispute, but the spotlight now shifts to the recipients of the letter, who now have a responsibility to mitigate damages.
External Risk Analysis

Even if you fully resolve your internal risk, you have not insulated yourself from externally generated risks arising from the Y2K non-compliance of other persons or companies. To achieve full insulation, you need to determine the readiness of suppliers of necessary materials (e.g. chemicals). When a supplier receives a Y2K inquiry from you, it has essentially been put on notice that you consider the Y2K problem to be serious and that you are relying on it to remain in operation regardless of the problem. This changes your legal relationship significantly. At this point, the supplier loses the ability to claim ignorance of the problem, or uncertainty as to the indirect consequences of the problem. In other words, if the supplier does not address its internal Y2K problem, it is much more likely to be held liable for economic damages caused to you, on the theory that it was negligent to have done nothing when advised of the problem and its probable consequences.
An additional purpose served by sending these notices to suppliers is to show ongoing due diligence. In fact, an underlying purpose in sending these letters is to enable you to consider the supplier's capability to fulfill contractual obligations, and to allow you to consider alternative sources. However, in many cases, the recipient of this notice may be under no legal obligation to respond, and you may incur liability by terminating a contract based on a non-response or an unsatisfactory response. In the absence of a clear contractual right to have such an inquiry answered, the recipient may be justified in ignoring or evading an effective response. Moreover, even if the supplier fails to respond, or responds in a manner suggesting Y2K non-compliance, there may be no legal basis (contractual, statutory or common law) to justify termination of the business relationship; where there is no contractual basis and no statutory support for termination, an attempted termination may expose you to liability for breaching the contract. If there is a legitimate concern that a key supplier is exposing you to risk due to its inadequate response to the Y2K bug, your actions (including contract termination) should be evaluated by your legal counsel.

Vendor Management Process

Vendor management involves identifying sources of Y2K compliance data for a system, including the correct manufacturer of the system, vendor point of contact, plans, schedules, compliance statements, testing data (if available), and any additional data on the system that will support the assessment effort. Be warned – this is a time-consuming process. Reports indicate that not all vendors will respond quickly, if at all; some system vendors may no longer exist. Vendors may commit to future dates for Y2K compliance. It will be necessary to follow up and verify that these commitment dates are being met.

Procedural Steps
Step 1: Review

This process begins with reviewing the site survey results and determining if any crucial information is missing, such as model number or manufacturer/vendor name. Having all the information available up-front will make the vendor contacts much more effective and less time consuming.

Step 2: Vendor Contacts

Identify the contact name, address and phone number for each vendor. Contact the vendor to inform them of the survey effort and its purpose, verify the correct name, address and point of contact for the system involved, and inform them that they will be receiving a vendor survey letter and that a timely response is needed. In some cases, particularly for recently procured equipment, the system may already be Y2K compliant, or the vendor may have included provisions for achieving compliance. This information can usually be found in the system's user or maintenance manuals, in press releases, or on the individual vendor's web site. It is important to make a copy of the vendor's statement, and for critical systems it would be advisable to contact the vendor and verify that the specific system is compliant. In cases where the vendor no longer exists or the system is custom built, check for system documentation such as planning documents, system requirement/design specifications, test-related documents, drawing packages and maintenance manuals. These should describe how the system functions and contain information such as data flow diagrams, input/output specifications, operational cycles, initial start-up and restart procedures, interfaces, and test and maintenance procedures.

Step 3: Vendor Letters

The vendor survey letter requests written confirmation of Y2K compliance status, plans for supporting systems that are not compliant, and the costs for any upgrades or retrofits needed to accomplish compliance. The letter also specifies a deadline for the vendor's response. Anticipate that responses may be slow; vendors are being contacted every day about the compliance of their products. A copy of the vendor letter developed and used by the State of California is included with this Bulletin.

Step 4: Vendor Responses

Review all vendor responses and flag all unclear, incomplete or questionable responses for further research. Vendor product certifications should be carefully reviewed. When an e-mail response is received, make certain that it contains a vendor logo or other specific identifying method that ties the response directly to the vendor, and make a hard-copy, date-stamped print-out of any web site data relied upon.
What Is CSRMA Doing To Help You?

CSRMA is actively following proposed and pending legislation in all 50 states and at the federal level with regard to the Y2K issue. We are also researching the legislative activities of other organizations to determine where CSRMA may most effectively lend its voice of support. CSRMA will keep its members updated with legislative developments as they occur. The following is a summary of California legislative activity to date:
Bill Number | Summary | Status
AB1710 | Relates to computer failure liability. Specifies that recovery of damages resulting from computer date failure would be limited to damages resulting from bodily injury. Excludes emotional injury. Provides for costs reasonably incurred to reprogram or replace and internally test the relevant computer system, computer program or software, or internal hardware timer. Specifies that in an action to recover damages resulting from a computer date failure, damages recoverable for non-economic losses shall not exceed $250,000. | Failed
AB1934 | Specifies that in an action to recover damages resulting from a computer date failure, damages recoverable for non-economic losses shall not exceed $250,000. | Failed, but will be reintroduced
AB1345 | This bill would enact the Year 2000 Problem Vendor Compliance and Contracting Act to authorize any public entity to submit a written request for information regarding the Year 2000 Problem, as defined, to any contractor who is under contract to provide, or was at any time under contract to provide, specified projects, materials, supplies, equipment, services or real property. | Signed, pending enactment
AJR 72 | Memorializes Congress to give Y2K computer date related issues the highest priority. | Passed
SB2000 | Provides immunity to public entities and their employees and officers, as defined, from liability arising from an incorrect date produced, calculated or generated by a computer or other information system. | Failed
SB1173 | Provides immunity from liability for tort damages to any person or entity, including government entities, for injury resulting from the disclosure of information relating to the Year 2000 Problem. Specifically includes persons who disclaim the universal application of provided solutions. Excludes from such protection persons who knowingly provide solutions which are material and false, inaccurate or misleading. Does not apply to persons or entities that provide Year 2000 solutions for profit. | Signed, pending enactment
Additional Resources Available

This is an issue of magnitude, and CSRMA is working to ensure that all members are kept abreast of legislation affecting the Y2K Bug, as well as assisting you, where possible, to become "Y2K Aware". The following statement puts the issue in perspective:

"Owing to past neglect, in the face of the plainest warnings, we have now entered upon a period of danger. The era of procrastination, of half-measures, … of delays, is coming to its close. In its place we are entering a period of consequences … We cannot avoid this period, we are in it now … Unless … this House resolves to find out the truth for itself, it will have committed an act of abdication of duty without parallel."

Winston Churchill, November 12, 1936, Testimony to the House of Commons: Debate on National Defense Posture

If you or your staff should have any questions or would like to receive additional information, please contact:

David Patzer
Risk Control Advisor
(415) 371-5430
dpatzer@rfdriver.com